

Third Party Risk May Be Your Biggest Risk

As companies move more of their computing into the cloud, risk shifts from something you can control directly to something you can only influence, which means you need to think about how to mitigate it.

A simple example of this was Amazon’s recent outage. You can’t control when Amazon’s systems go down, but your business depends on them, so you had better figure out what you need to do.

Here is another example.

INFOTRAX is a Utah-based company that clients use to host some of their IT. Its specialty is software for companies that run multi-level marketing.

In 2016 the company admitted to a security breach in which a hacker absconded with the details of about a million of its clients’ customers. The FTC said the breach was the result of a vulnerability in the company’s infrastructure that allowed the hacker to upload malicious software and take control of that infrastructure.

Unfortunately, the company did not detect that the hackers were inside its systems, stealing its clients’ data, for two years, according to the FTC.

So how did they discover that they had been hacked?

The good news is that hackers are stupid, at least some of the time.

The hacker created an archive of data on the company’s network that was so big that the server ran out of disk space.

On top of all of this, Infotrax was storing data unencrypted: Social Security numbers, credit card info, bank account info, user names and passwords.

This week the company agreed to a settlement with the FTC that includes a pretty robust security program. As part of it, for THE NEXT TWENTY YEARS they have to report to the FTC, and a senior executive has to personally certify to the FTC every year regarding the state of their security program.

Okay, so that handles Infotrax, but probably most of you are not Infotrax customers.

WHAT MAKES YOU THINK THAT INFOTRAX’S SECURITY PROGRAM – OR LACK THEREOF – IS SIGNIFICANTLY DIFFERENT FROM THE (NON) PROGRAM THAT MANY OF YOUR VENDORS DON’T HAVE? The short answer is: not much.

Which means that it is up to you to make sure that all of your cloud vendors (including those where you have a shared security model) have a security program that matches up with the risk you are willing to ‘own’.

That can be a challenge because, in part, you are dependent on your vendors telling you the truth about the state of their security program. If their program is not great, they are likely to bend the truth a bit to make it look better. After all, how would you know? I am sure that Infotrax didn’t say, “our security and privacy program is crap.”

This puts a lot of burden on you, but you are likely the one who will get sued if your vendor has a breach, so you are motivated to deal with it.

Background on the breach can be found here.

The FTC consent order can be found here.